The present invention relates generally to computer software, and more particularly, to a system and method for storing data in a tamper proof storage.
In today's computer network environment, large volumes of data are customarily stored and used by various software applications. Data management has become an essential task for many data intensive industries. A smooth business operation depends both on the efficiency and security of the use of the stored data. From the perspective of data management, a database administrator (DB A) is powerful in that he usually has full access to the entire database and all contents stored therein. He can read, write and modify any data stored in the database. In a normal situation, the DBA is endowed with the highest level of trust because of his enormous responsibility. In certain cases, it is desirable to store data in a database in a secure way such that even a privileged user like the DBA should not be able to modify records without detection. For example, it is very important to protect a monotonically increasing audit trail which records actions taken by a user along with his identity against modifications. No one should be able to modify this trail, thus an independent auditor can trace any user's, even the DBA's, actions relating to the database, whereby the integrity and the security of the database are greatly enhanced.
The normal practice consists of reading an audit trail data in a database directly through SQL or JDBC or any such standard client program. Several conventional methods are used for protecting the integrity of the audit trail in a database system. For example, the entire audit trail can be encrypted. Although this encryption prevents access to the trail by the DBA, it does not prevent him from deleting certain records without being detected. Also it hinders the normal practice of reading the trail by users of the database.
As an alternative solution, the audit trail can be validated by a signing process. The signing process corresponds to a digital signature operation which is well known in the industry. This signing process for generating a signature involves taking a message of any length, forming an “imprint” of the message to a fixed length by hashing, and mathematically transforming the hash using cryptographic techniques. While the signature can be generated only by a signer, any other user can verify the generated signature. If a trail for which the signature is attached to has been tampered with, the verifier cannot successfully validate the digital signature. The operations of generating and verifying the signature are computationally expensive because they involve large number churning operations which require significant computer processor time. Moreover, the signing process is directed to the entire trail, not a specific record in it. Under a typical scenario, after all the existing records have been collated, a signature is then generated for the entire trail, and the resulting signature is put in a secure place. Therefore, every time a new record is added to the database, the audit trail is signed again. This method has a heavy computational overhead as the entire audit trail needs to be accessed and signed every time a record is added.
In another alternative solution, the records can be validated by requiring a signature of each record. This method validates the individual records but still fails to prevent the DBA from deleting records without detection.
What is needed is an efficient method and system for keeping a secure database system so that any modifications of the audit trail in a database system by any user including the privileged user like the DBA would be detectable.